Telecom operators providing network services have access to large quantities of data about subscribing users. For example, an operator can collect data about user behaviour, services used, charging records, web-pages visited, other subscribers called, etc. Furthermore, collected data can be analysed to reach conclusions, for example about user preferences. A subscriber would trust the operator not to forward such data to a third party.
However, the data referred to would be useful to a third party for business purposes such as, for example, creating a campaign or for commercial advertising. Normally, if transfer of such data for this type of purpose is made at all, a business agreement is made between the operator and the party using the data. However, there is no technical means that guarantees that the using party does not use the received data improperly. For example, once the third party has the data in its possession, there is no way for the operator to prevent the data from being passed on to other (fourth) parties.
In some circumstances it is not enough that an operator signs an agreement with a third party. If the third party does not fulfil its part of the agreement, there is no easy way for the operator to stop the misuse other than by imposing fines etc., even though the third party's behaviour may directly affect the goodwill of the operator. There is therefore a need for the operator to ensure that the third party cannot forward the information and knowledge it obtained from the operator to a fourth party.
One approach to protecting private data involves so called “Lock-Box” technology, as defined, for example, in WO 2006/068551 and EP 1611725. Lock Box is a communication system for end user control of personal data. More specifically, it provides mechanisms to control whether and how a requesting entity can get access to user data that is available at a data providing entity. The classical Lock Box system employs a central server (broker) which checks a privacy policy defined by the end user and, if allowed according to the policy, provides information necessary for the requesting entity to retrieve user data from the providing entity. However, a problem with Lock Box is that, once the requesting entity has obtained the user related data, there is no means to prevent it from further distribution.
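The broker-mediated check described above, as an added illustrative model written for this page (it is not the implementation from WO 2006/068551 or EP 1611725): the end user's policy lives at the broker, the broker hands out a single-use ticket only when the policy permits, and the data providing entity releases data only against a valid ticket. The entity names, data categories, and ticket scheme are constructed assumptions. It also makes the limitation visible: what the provider returns is plain data, and nothing in this exchange constrains what the requester does with it afterwards.

```python
"""Toy model of a broker-mediated ("Lock Box" style) access check.

Constructed illustration for this page; not the system of WO 2006/068551.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class PrivacyPolicy:
    # End-user-defined policy: requesting entity -> categories it may read.
    allowed: dict


@dataclass
class Broker:
    # user_id -> PrivacyPolicy; the broker never stores the user data itself.
    policies: dict
    # Outstanding single-use tickets: token -> (requester, user_id, category).
    tickets: dict = field(default_factory=dict)

    def request_access(self, requester, user_id, category):
        """Check the user's policy; return a ticket only if it permits."""
        policy = self.policies.get(user_id)
        if policy is None or category not in policy.allowed.get(requester, set()):
            return None
        token = secrets.token_hex(8)  # unguessable, bound to one grant
        self.tickets[token] = (requester, user_id, category)
        return token


@dataclass
class DataProvider:
    broker: Broker
    # (user_id, category) -> value held by the data providing entity.
    store: dict

    def fetch(self, requester, token):
        """Release data only against a ticket the broker issued to this requester."""
        grant = self.broker.tickets.pop(token, None)  # consumed on first use
        if grant is None or grant[0] != requester:
            return None  # unknown, replayed, or presented by the wrong party
        _, user_id, category = grant
        # Once this value is returned, the broker and provider have no further
        # control over it: the requester can forward it to anyone.
        return self.store.get((user_id, category))


def build_demo():
    """Constructed sample: one subscriber, one policy, one data provider."""
    policy = PrivacyPolicy(allowed={"campaign-co": {"preferences"}})
    broker = Broker(policies={"user-42": policy})
    provider = DataProvider(
        broker=broker,
        store={
            ("user-42", "preferences"): "sports, travel",
            ("user-42", "call_records"): "[constructed, never released]",
        },
    )
    return broker, provider


if __name__ == "__main__":
    broker, provider = build_demo()
    ticket = broker.request_access("campaign-co", "user-42", "preferences")
    print("permitted fetch:", provider.fetch("campaign-co", ticket))
    print("replayed ticket:", provider.fetch("campaign-co", ticket))
    print("denied category:", broker.request_access("campaign-co", "user-42", "call_records"))
```

The ticket is deliberately consumed even when presented by the wrong requester, so a leaked ticket cannot be retried by its rightful holder without going back through the broker.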
One way for Lock Box to solve the problem would be to let the end user define a new privacy policy in the broker database for the requesting entity, which now becomes another data providing entity. The drawback of this approach is that the user has to define a privacy policy for every possible user data receiver, which is a heavy burden for the end user even if it is mitigated by efficient policy handling in the broker (e.g. by using a generic/individual privacy tree and daemon node as described in WO 2006/068551).
Even if an operator limits export of user related data to that which does not obviously reveal private data, the exported data may still be correlated by the receiving party with data from other sources, enabling the derivation of private data such as, for example, the name of a user. This process is generally referred to as “inductive learning”. An operator may therefore be reluctant to provide any subscriber-related information to a third party because of the danger that the third party may be able to deduce additional sensitive information.
Thus, there is a need for a method and arrangement for control of processing of data such that user privacy is protected.